[Pkg-cups-devel] r759 - in cupsys/trunk: . debian debian/patches

Martin Pitt mpitt at alioth.debian.org
Tue Apr 22 09:09:37 UTC 2008


Author: mpitt
Date: Tue Apr 22 09:09:37 2008
New Revision: 759

Log:
* Add debian/patches/CVE-2008-1722.dpatch: Two integer overflows in png
  image filter allow a denial of service attack and possibly arbitrary code
  execution. [STR #2790, CVE-2008-1722] (Closes: #476305).

Added:
   cupsys/trunk/debian/patches/CVE-2008-1722.dpatch
Modified:
   cupsys/trunk/   (props changed)
   cupsys/trunk/debian/changelog
   cupsys/trunk/debian/patches/00list

Modified: cupsys/trunk/debian/changelog
==============================================================================
--- cupsys/trunk/debian/changelog	(original)
+++ cupsys/trunk/debian/changelog	Tue Apr 22 09:09:37 2008
@@ -1,5 +1,6 @@
 cupsys (1.3.7-2) UNRELEASED; urgency=low
 
+  [ Martin Pitt ]
   * debian/control: Add missing build dependency lsb-release. (LP: #211375)
     Also wrap long fields, so that they are easier to edit.
   * Drop pdftops-wait-eintr.dpatch, an improved version has been committed
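Review bot: The header line `cupsys (1.3.7-2) UNRELEASED; urgency=low` at the top of this hunk stays unchanged, although this commit adds a changelog entry for CVE-2008-1722 that describes a denial of service and possibly arbitrary code execution. Consider raising the urgency (for example `urgency=high`) before the upload so the security fix migrates promptly.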
@@ -7,7 +8,12 @@
   * Rebuild against fixed debhelper to properly compress manpages again (see
     #470913). (Closes: #475887, #476495)
 
- -- Martin Pitt <mpitt at debian.org>  Mon, 14 Apr 2008 08:05:20 +0200
+  [ Nico Golde ]
+  * Add debian/patches/CVE-2008-1722.dpatch: Two integer overflows in png
+    image filter allow a denial of service attack and possibly arbitrary code
+    execution. [STR #2790, CVE-2008-1722] (Closes: #476305).
+
+ -- Martin Pitt <mpitt at debian.org>  Mon, 21 Apr 2008 17:41:01 +0200
 
 cupsys (1.3.7-1) unstable; urgency=medium
 

Modified: cupsys/trunk/debian/patches/00list
==============================================================================
--- cupsys/trunk/debian/patches/00list	(original)
+++ cupsys/trunk/debian/patches/00list	Tue Apr 22 09:09:37 2008
@@ -1,3 +1,4 @@
+CVE-2008-1722.dpatch
 freebsd.dpatch
 removecvstag.dpatch
 pam.dpatch

Added: cupsys/trunk/debian/patches/CVE-2008-1722.dpatch
==============================================================================
--- (empty file)
+++ cupsys/trunk/debian/patches/CVE-2008-1722.dpatch	Tue Apr 22 09:09:37 2008
@@ -0,0 +1,78 @@
+#! /bin/sh /usr/share/dpatch/dpatch-run
+## CVE-2008-1722.dpatch by Nico Golde <nion at debian.org>
+##
+## All lines beginning with `## DP:' are a description of the patch.
+## DP: http://www.cups.org/str.php?L2790
+
+ at DPATCH@
+diff -urNad cupsys-1.3.7~/filter/image-png.c cupsys-1.3.7/filter/image-png.c
+--- cupsys-1.3.7~/filter/image-png.c	2007-07-11 23:46:42.000000000 +0200
++++ cupsys-1.3.7/filter/image-png.c	2008-04-21 13:20:12.000000000 +0200
+@@ -3,7 +3,7 @@
+  *
+  *   PNG image routines for the Common UNIX Printing System (CUPS).
+  *
+- *   Copyright 2007 by Apple Inc.
++ *   Copyright 2007-2008 by Apple Inc.
+  *   Copyright 1993-2007 by Easy Software Products.
+  *
+  *   These coded instructions, statements, and computer programs are the
+@@ -170,16 +170,56 @@
+     * Interlaced images must be loaded all at once...
+     */
+ 
++    size_t bufsize;			/* Size of buffer */
++
++
+     if (color_type == PNG_COLOR_TYPE_GRAY ||
+ 	color_type == PNG_COLOR_TYPE_GRAY_ALPHA)
+-      in = malloc(img->xsize * img->ysize);
++    {
++      bufsize = img->xsize * img->ysize;
++
++      if ((bufsize / img->ysize) != img->xsize)
++      {
++	fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
++		(unsigned)width, (unsigned)height);
++	fclose(fp);
++	return (1);
++      }
++    }
+     else
+-      in = malloc(img->xsize * img->ysize * 3);
++    {
++      bufsize = img->xsize * img->ysize * 3;
++
++      if ((bufsize / (img->ysize * 3)) != img->xsize)
++      {
++	fprintf(stderr, "DEBUG: PNG image dimensions (%ux%u) too large!\n",
++		(unsigned)width, (unsigned)height);
++	fclose(fp);
++	return (1);
++      }
++    }
++
++    in = malloc(bufsize);
+   }
+ 
+   bpp = cupsImageGetDepth(img);
+   out = malloc(img->xsize * bpp);
+ 
++  if (!in || !out)
++  {
++    fputs("DEBUG: Unable to allocate memory for PNG image!\n", stderr);
++
++    if (in)
++      free(in);
++
++    if (out)
++      free(out);
++
++    fclose(fp);
++
++    return (1);
++  }
++
+  /*
+   * Read the image, interlacing as needed...
+   */
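Review bot: In the else branch of the interlaced path, the check `(bufsize / (img->ysize * 3)) != img->xsize` divides by `img->ysize * 3`, which is computed with the same arithmetic as the product it is meant to validate, so a height large enough to wrap `img->ysize * 3` makes the test unreliable. Both branches also divide by `img->ysize`, so they depend on a zero height having been rejected earlier, which these lines do not show. Testing before multiplying, for example rejecting when `img->xsize > SIZE_MAX / 3 / img->ysize`, avoids relying on a value that may already have wrapped. The unchanged `out = malloc(img->xsize * bpp);` is still an unguarded multiplication; the new `if (!in || !out)` test only catches an allocation that fails, not one that succeeds with a wrapped size.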


